Vulnerability DatabaseCVE-2025-46805

CVE-2025-46805:
Linux Debian vulnerability analysis and mitigation

Overview

Screen version 5.0.0 and older version 4 releases contain a time-of-check/time-of-use (TOCTOU) race condition vulnerability when installed setuid-root. The vulnerability was discovered in May 2025 and affects the signal handling functionality in Screen, specifically in socket.c where signals are sent to user-supplied PIDs in setuid-root context (MITRE CVE, OpenWall).

Technical details

The vulnerability exists in the CheckPid() function which drops privileges to the real user ID and tests whether the kernel allows sending a signal to the target PID using these credentials. However, the actual signal is sent later via Kill(), potentially using full root privileges. This creates a race condition where the PID that was previously checked could have been replaced by a different, privileged process. The issue resulted from an incomplete fix for CVE-2023-24626. The vulnerability has been assigned a CVSS v4.0 Base Score of 5.7 (Medium) according to SUSE's assessment (NVD Entry, SUSE Bugzilla).

Impact

The vulnerability allows sending SIGCONT and SIGHUP signals to privileged processes through a race condition. The primary impact is limited to local denial of service or minor integrity violations. It might also be possible to trick the privileged Screen daemon process into sending signals to itself, since a process is always allowed to send signals to itself (OpenWall).

Mitigation and workarounds

The issue can be addressed by sending the actual signal with real UID privileges, just like CheckPid() does. A patch has been provided that implements this fix. Additionally, it is recommended not to install Screen with setuid-root privileges at all, as this significantly reduces the attack surface (OpenWall).

Community reactions

The vulnerability was discovered during a comprehensive security audit by the SUSE Security Team. The disclosure process faced some challenges with upstream coordination, taking longer than initially expected. The security community has emphasized the importance of proper privilege handling in setuid-root binaries (OpenWall).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

5.7

Score

Published May 26, 2025

Severity MEDIUM

CNA Score 5.7

Affected Technologies

Linux Debian
Linux Red Hat

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 2

Exploitation Probability (EPSS) N/A

Affected packages and libraries

screen
seal-screen

Sources

NVD
Alpine Security Tracker
- Alpine 3.18, 3.19, 3.20, 3.21, edge Severity MEDIUMHas FixAdded at: May 15, 2025
- Alpine 3.22 Severity MEDIUMHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity MEDIUMHas FixAdded at: Dec 04, 2025
Debian Security Tracker
- Debian 11, 12 Severity LOWNo FixAdded at: May 13, 2025
- Debian 13 Severity LOWHas FixAdded at: May 13, 2025
- Debian 14 Severity LOWHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity MEDIUMHas FixAdded at: Nov 18, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: May 14, 2025
Seal Security
- Red Hat 6, 7 Severity MEDIUMHas FixAdded at: Nov 18, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-61729	HIGH	7.5	Docker	go	No	Yes	Dec 02, 2025
CVE-2025-66293	HIGH	7.1	OpenJDK JDK	java-17-openjdk-headless-slowdebug	No	No	Dec 03, 2025
CVE-2025-39665	MEDIUM	6.9	Linux Debian	nagvis	No	No	Dec 03, 2025
CVE-2025-61727	MEDIUM	6.5	Docker	golang-1.24	No	Yes	Dec 03, 2025
CVE-2025-66453	MEDIUM	5.5	Java	org.mozilla:rhino	No	Yes	Dec 03, 2025